Email phishing is the most prevalent form of social engineering — the act of manipulating people into disclosing sensitive data. An attacker will always take the “path of least resistance,” and, unfortunately, that means humans are becoming an easier target than defeating modern security appliances. Worse yet, the attackers are not going to stop at gaining credentials or other sensitive information; they typically also install malware to hunt for other sensitive data.

According to the 2016 Verizon Data Breach Investigation Report, reported phishing incidents have increased 50 percent year-over-year. The “lures” are many, including a famous 2014 cyber-espionage campaign conducted through a vulnerability in malicious PowerPoint presentations. These so-called spear-phishing campaigns were executed by the “Sandworm Team” — believed to be a Russian-based hacker group — to deliver this malware to foreign government officials and energy sector firms.

When security experts conduct requested test phishing campaigns at organizations, they see a 75 percent click rate. In some cases, they are able to gather credentials and personal information from users through convincing web forms. After users have gone through training, the security experts conduct a second campaign to see how effective the initial training was. The click rate dramatically drops to 5-10 percent at that point.

Steps to Take to Prevent Phishing

Focus on the following three areas to set a strong foundation for preventing phishing in your organization:

Start with a mature security awareness program. C-level executives typically have their email addresses published on their organization’s website, which makes them an easy target for spear phishing. Anyone with an email account should go through training on how to identify suspect emails, how to report them and how IT can help communicate current threats.

Email filtering is a must-have for any company. The market is flooded with great products, so analyzing the cost and benefit will most likely work in your favor. If your organization uses Office 365, you get email filtering for free — it just needs a little configuration from your IT department.

Have a tested incident response plan. Pretend an email gets past your filters, a user gets phished, and you have to limit the impact. Have a scenario in your incident response plan for how to identify, report and quarantine a malware attack. Malware works quickly and, according to the Verizon report, only takes days to do its job.

Click here to request our email phishing infographic and learn more about social engineering.

If you have questions about email phishing, contact Bill Gogel, IT Audit Manager, at 314.983.1363 or bgogel@bswllc.com.